Software services (e.g., antivirus, firewall, intrusion detection, storage caching, compression, deduplication, encryption, etc.) rely on I/O interception or forwarding to monitor or modify the data communication between a source and a destination in a communications network. Several techniques are commonly used to monitor or intercept I/O traffic. One technique relies on the operating system (OS) kernel and requires installing new drivers or kernel modules, or modifying existing ones, for each OS. A software service may remain visible and vulnerable to attacks if it runs under the same OS that runs the applications. This limitation is a particular problem for security software such as an antivirus or a firewall, because the software service may be neutralized by a malicious application. In addition, the software needs to be installed and managed individually for every OS instance, including virtual machines (VMs) and physical servers.
Another technique relies on the I/O virtualization framework at the OS or hypervisor level. Using this model, the software service may leverage the virtualization layer to intercept the I/O traffic in an OS-agnostic way and to protect the software service from external attacks. Unfortunately, this model may be used only by hypervisor vendors, unless the developer of the software signs an agreement with the hypervisor vendor to get access to internal and closed application programming interfaces (APIs), which usually limit the software service's capabilities. In addition, the software service may require a different implementation for each hypervisor vendor. This model is not compatible with the best-performing I/O virtualization models and requires the use of para-virtual drivers or emulation techniques to intercept the I/O traffic at the hypervisor level. Finally, under this model the software service runs in each hypervisor and consumes processor, memory and I/O resources of each server.
One other technique requires directly connecting a physical or virtual appliance to the wire over which data is communicated (e.g., Cisco Catalyst 6500, IBM Real-time Compression appliance), and may force changes in the network topology to route all the traffic through the appliance before the data is delivered to the destination. This model may complicate the network configuration and network management, and may degrade performance if the appliance has limited throughput and thus becomes a bottleneck. Also, an appliance requires periodic maintenance, repairs and upgrades. To simplify deployment, management and configuration, some vendors also offer services integrated into expensive physical appliances (e.g., switches), or rely on an address take-over capability if it is supported by the underlying protocol.